shopify_app 17.0.1 → 17.1.0

data/lib/generators/shopify_app/home_controller/templates/home_controller.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class HomeController < AuthenticatedController
+  include ShopifyApp::ShopAccessScopesVerification
+
   def index
     @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
     @webhooks = ShopifyAPI::Webhook.find(:all)

data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb

@@ -3,6 +3,7 @@
 class HomeController < ApplicationController
   include ShopifyApp::EmbeddedApp
   include ShopifyApp::RequireKnownShop
+  include ShopifyApp::ShopAccessScopesVerification
 
   def index
     @shop_origin = current_shopify_domain

data/lib/generators/shopify_app/install/install_generator.rb

@@ -30,9 +30,11 @@ module ShopifyApp
           copy_file('omniauth.rb', 'config/initializers/omniauth.rb')
         end
 
+        return if !Rails.env.test? && shopify_provider_exists?
+
         inject_into_file(
           'config/initializers/omniauth.rb',
-          File.read(File.expand_path(find_in_source_paths('shopify_provider.rb'))),
+          shopify_provider_template,
           after: "Rails.application.config.middleware.use(OmniAuth::Builder) do\n"
         )
       end
@@ -72,6 +74,33 @@ module ShopifyApp
 
       private
 
+      def shopify_provider_exists?
+        File.open("config/initializers/omniauth.rb") do |file|
+          file.each_line do |line|
+            if line =~ /provider :shopify/
+              puts "\e[33m#{omniauth_warning}\e[0m"
+              return true
+            end
+          end
+        end
+        false
+      end
+
+      def omniauth_warning
+        <<~OMNIAUTH
+          \n[WARNING] The Shopify App generator attempted to add the following Shopify Omniauth \
+          provider 'config/initializers/omniauth.rb':
+
+          \e[0m#{shopify_provider_template}\e[33m
+
+          Consider updating 'config/initializers/omniauth.rb' to match the configuration above.
+        OMNIAUTH
+      end
+
+      def shopify_provider_template
+        File.read(File.expand_path(find_in_source_paths('shopify_provider.rb.tt')))
+      end
+
       def embedded_app?
         options['embedded'] == 'true'
       end

data/lib/generators/shopify_app/install/templates/omniauth.rb

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
+
 Rails.application.config.middleware.use(OmniAuth::Builder) do
 end

data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -1,17 +1,23 @@
-unless defined? Rails::Generators
-  ShopifyApp.configure do |config|
-    config.application_name = "<%= @application_name %>"
-    config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY. See https://github.com/Shopify/shopify_app#api-keys')
-    config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET. See https://github.com/Shopify/shopify_app#api-keys')
-    config.old_secret = "<%= @old_secret %>"
-    config.scope = "<%= @scope %>" # Consult this page for more scope options:
-                                   # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
-    config.embedded_app = <%= embedded_app? %>
-    config.after_authenticate_job = false
-    config.api_version = "<%= @api_version %>"
-    config.shop_session_repository = 'Shop'
-    config.allow_jwt_authentication = <%= !with_cookie_authentication? %>
-    config.allow_cookie_authentication = <%= with_cookie_authentication? %>
+ShopifyApp.configure do |config|
+  config.application_name = "<%= @application_name %>"
+  config.old_secret = "<%= @old_secret %>"
+  config.scope = "<%= @scope %>" # Consult this page for more scope options:
+                                  # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
+  config.embedded_app = <%= embedded_app? %>
+  config.after_authenticate_job = false
+  config.api_version = "<%= @api_version %>"
+  config.shop_session_repository = 'Shop'
+
+  config.reauth_on_access_scope_changes = true
+
+  config.allow_jwt_authentication = <%= !with_cookie_authentication? %>
+  config.allow_cookie_authentication = <%= with_cookie_authentication? %>
+
+  config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence
+  config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence
+  if defined? Rails::Server
+    raise('Missing SHOPIFY_API_KEY. See https://github.com/Shopify/shopify_app#requirements') unless config.api_key
+    raise('Missing SHOPIFY_API_SECRET. See https://github.com/Shopify/shopify_app#requirements') unless config.secret
   end
 end
 

data/lib/generators/shopify_app/install/templates/shopify_provider.rb.tt

@@ -0,0 +1,8 @@
+  provider :shopify,
+      ShopifyApp.configuration.api_key,
+      ShopifyApp.configuration.secret,
+      scope: ShopifyApp.configuration.scope,
+      setup: lambda { |env|
+        configuration = ShopifyApp::OmniAuthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
+        configuration.build_options
+      }

data/lib/generators/shopify_app/shop_model/shop_model_generator.rb

@@ -8,6 +8,8 @@ module ShopifyApp
       include Rails::Generators::Migration
       source_root File.expand_path('../templates', __FILE__)
 
+      class_option :new_shopify_cli_app, type: :boolean, default: false
+
       def create_shop_model
         copy_file('shop.rb', 'app/models/shop.rb')
       end
@@ -16,6 +18,27 @@ module ShopifyApp
         migration_template('db/migrate/create_shops.erb', 'db/migrate/create_shops.rb')
       end
 
+      def create_shop_with_access_scopes_migration
+        scopes_column_prompt = <<~PROMPT
+          It is highly recommended that apps record the access scopes granted by \
+          merchants during app installation. See app/models/shop.rb to modify how \
+          access scopes are stored and retrieved.
+
+          [WARNING] You will need to update the access_scopes accessors in the Shop model \
+          to allow shopify_app to store and retrieve scopes when going through OAuth.
+
+          The following migration will add an `access_scopes` column to the Shop model. \
+          Do you want to include this migration? [y/n]
+        PROMPT
+
+        if new_shopify_cli_app? || Rails.env.test? || yes?(scopes_column_prompt)
+          migration_template(
+            'db/migrate/add_shop_access_scopes_column.erb',
+            'db/migrate/add_shop_access_scopes_column.rb'
+          )
+        end
+      end
+
       def update_shopify_app_initializer
         gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryShopSessionStore', 'Shop')
       end
@@ -26,6 +49,10 @@ module ShopifyApp
 
       private
 
+      def new_shopify_cli_app?
+        options['new_shopify_cli_app']
+      end
+
       def rails_migration_version
         Rails.version.match(/\d\.\d/)[0]
       end

data/lib/generators/shopify_app/shop_model/templates/db/migrate/add_shop_access_scopes_column.erb

@@ -0,0 +1,5 @@
+class AddShopAccessScopesColumn < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def change
+    add_column :shops, :access_scopes, :string
+  end
+end

data/lib/generators/shopify_app/shop_model/templates/shop.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 class Shop < ActiveRecord::Base
-  include ShopifyApp::ShopSessionStorage
+  include ShopifyApp::ShopSessionStorageWithScopes
 
   def api_version
     ShopifyApp.configuration.api_version

data/lib/generators/shopify_app/shopify_app_generator.rb

@@ -9,7 +9,7 @@ module ShopifyApp
 
       def run_all_generators
         generate("shopify_app:install #{@opts.join(' ')}")
-        generate("shopify_app:shop_model")
+        generate("shopify_app:shop_model #{@opts.join(' ')}")
         generate("shopify_app:authenticated_controller")
         generate("shopify_app:home_controller #{@opts.join(' ')}")
       end

data/lib/generators/shopify_app/user_model/templates/db/migrate/add_user_access_scopes_column.erb

@@ -0,0 +1,5 @@
+class AddUserAccessScopesColumn < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def change
+    add_column :users, :access_scopes, :string
+  end
+end

data/lib/generators/shopify_app/user_model/templates/user.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 class User < ActiveRecord::Base
-  include ShopifyApp::UserSessionStorage
+  include ShopifyApp::UserSessionStorageWithScopes
 
   def api_version
     ShopifyApp.configuration.api_version

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -8,6 +8,8 @@ module ShopifyApp
       include Rails::Generators::Migration
       source_root File.expand_path('../templates', __FILE__)
 
+      class_option :new_shopify_cli_app, type: :boolean, default: false
+
       def create_user_model
         copy_file('user.rb', 'app/models/user.rb')
       end
@@ -16,6 +18,27 @@ module ShopifyApp
         migration_template('db/migrate/create_users.erb', 'db/migrate/create_users.rb')
       end
 
+      def create_scopes_storage_in_user_model
+        scopes_column_prompt = <<~PROMPT
+          It is highly recommended that apps record the access scopes granted by \
+          merchants during app installation. See app/models/user.rb to modify how \
+          access scopes are stored and retrieved.
+
+          [WARNING] You will need to update the access_scopes accessors in the User model \
+          to allow shopify_app to store and retrieve scopes when going through OAuth.
+
+          The following migration will add an `access_scopes` column to the User model. \
+          Do you want to include this migration? [y/n]
+        PROMPT
+
+        if new_shopify_cli_app? || Rails.env.test? || yes?(scopes_column_prompt)
+          migration_template(
+            'db/migrate/add_user_access_scopes_column.erb',
+            'db/migrate/add_user_access_scopes_column.rb'
+          )
+        end
+      end
+
       def update_shopify_app_initializer
         gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User')
       end
@@ -26,6 +49,10 @@ module ShopifyApp
 
       private
 
+      def new_shopify_cli_app?
+        options['new_shopify_cli_app']
+      end
+
       def rails_migration_version
         Rails.version.match(/\d\.\d/)[0]
       end

data/lib/shopify_app.rb

@@ -57,5 +57,15 @@ module ShopifyApp
   require 'shopify_app/session/session_repository'
   require 'shopify_app/session/session_storage'
   require 'shopify_app/session/shop_session_storage'
+  require 'shopify_app/session/shop_session_storage_with_scopes'
   require 'shopify_app/session/user_session_storage'
+  require 'shopify_app/session/user_session_storage_with_scopes'
+
+  # access scopes strategies
+  require 'shopify_app/access_scopes/shop_strategy'
+  require 'shopify_app/access_scopes/user_strategy'
+  require 'shopify_app/access_scopes/noop_strategy'
+
+  # omniauth_configuration
+  require 'shopify_app/omniauth/omniauth_configuration'
 end

data/lib/shopify_app/access_scopes/noop_strategy.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class NoopStrategy
+      class << self
+        def update_access_scopes?(*_args)
+          false
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/access_scopes/shop_strategy.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class ShopStrategy
+      class << self
+        def update_access_scopes?(shop_domain)
+          shop_access_scopes = shop_access_scopes(shop_domain)
+          configuration_access_scopes != shop_access_scopes
+        end
+
+        private
+
+        def shop_access_scopes(shop_domain)
+          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_domain)&.access_scopes
+        end
+
+        def configuration_access_scopes
+          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.shop_access_scopes)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/access_scopes/user_strategy.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class UserStrategy
+      class InvalidInput < StandardError; end
+
+      class << self
+        def update_access_scopes?(user_id: nil, shopify_user_id: nil)
+          return update_access_scopes_for_user_id?(user_id) if user_id
+          return update_access_scopes_for_shopify_user_id?(shopify_user_id) if shopify_user_id
+          raise(InvalidInput, '#update_access_scopes? requires user_id or shopify_user_id parameter inputs')
+        end
+
+        private
+
+        def update_access_scopes_for_user_id?(user_id)
+          user_access_scopes = user_access_scopes_by_user_id(user_id)
+          configuration_access_scopes != user_access_scopes
+        end
+
+        def update_access_scopes_for_shopify_user_id?(shopify_user_id)
+          user_access_scopes = user_access_scopes_by_shopify_user_id(shopify_user_id)
+          configuration_access_scopes != user_access_scopes
+        end
+
+        def user_access_scopes_by_user_id(user_id)
+          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.access_scopes
+        end
+
+        def user_access_scopes_by_shopify_user_id(shopify_user_id)
+          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.access_scopes
+        end
+
+        def configuration_access_scopes
+          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.user_access_scopes)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -9,6 +9,8 @@ module ShopifyApp
     attr_accessor :secret
     attr_accessor :old_secret
     attr_accessor :scope
+    attr_writer :shop_access_scopes
+    attr_writer :user_access_scopes
     attr_accessor :embedded_app
     alias_method  :embedded_app?, :embedded_app
     attr_accessor :webhooks
@@ -16,6 +18,8 @@ module ShopifyApp
     attr_accessor :after_authenticate_job
     attr_accessor :api_version
 
+    attr_accessor :reauth_on_access_scope_changes
+
     # customise urls
     attr_accessor :root_url
     attr_writer :login_url
@@ -70,6 +74,16 @@ module ShopifyApp
       ShopifyApp::SessionRepository.shop_storage
     end
 
+    def shop_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+      ShopifyApp::AccessScopes::ShopStrategy
+    end
+
+    def user_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+      ShopifyApp::AccessScopes::UserStrategy
+    end
+
     def has_webhooks?
       webhooks.present?
     end
@@ -81,6 +95,14 @@ module ShopifyApp
     def enable_same_site_none
       !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
     end
+
+    def shop_access_scopes
+      @shop_access_scopes || scope
+    end
+
+    def user_access_scopes
+      @user_access_scopes || scope
+    end
   end
 
   def self.configuration

data/lib/shopify_app/omniauth/omniauth_configuration.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class OmniAuthConfiguration
+    attr_reader :strategy, :request
+    attr_writer :client_options_site, :scopes, :per_user_permissions
+
+    def initialize(strategy, request)
+      @strategy = strategy
+      @request = request
+    end
+
+    def build_options
+      strategy.options[:client_options][:site] = client_options_site
+      strategy.options[:scope] = scopes
+      strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+      strategy.options[:per_user_permissions] = request_online_tokens?
+    end
+
+    private
+
+    def request_online_tokens?
+      return @per_user_permissions unless @per_user_permissions.nil?
+      default_request_online_tokens?
+    end
+
+    def scopes
+      @scopes || default_scopes
+    end
+
+    def client_options_site
+      @client_options_site || default_client_options_site
+    end
+
+    def default_scopes
+      if request_online_tokens?
+        ShopifyApp.configuration.user_access_scopes
+      else
+        ShopifyApp.configuration.shop_access_scopes
+      end
+    end
+
+    def default_client_options_site
+      return '' unless shop_domain.present?
+      "https://#{shopify_auth_params[:shop]}"
+    end
+
+    def default_request_online_tokens?
+      strategy.session[:user_tokens] && !update_shop_scopes?
+    end
+
+    def update_shop_scopes?
+      ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(shop_domain)
+    end
+
+    def shop_domain
+      request.params['shop'] || (shopify_auth_params && shopify_auth_params['shop'])
+    end
+
+    def shopify_auth_params
+      strategy.session['shopify.omniauth_params']&.with_indifferent_access
+    end
+  end
+end